Name |
Manipulating Hidden Fields |
|
Likelyhood of attack |
Typical severity |
Medium |
High |
|
Summary |
An adversary exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server, which processes the modified data. For example, eShoplifting is a data manipulation attack against an on-line merchant during a purchasing transaction. The manipulation of price, discount or quantity fields in the transaction message allows the adversary to acquire items at a lower cost than the merchant intended. The adversary performs a normal purchasing transaction but edits hidden fields within the HTML form response that store price or other information to give themselves a better deal. The merchant then uses the modified pricing information in calculating the cost of the selected items. |
Prerequisites |
The targeted site must contain hidden fields to be modified. The targeted site must not validate the hidden fields with backend processing. |
Solutions | |
Related Weaknesses |
CWE ID
|
Description
|
CWE-602 |
Client-Side Enforcement of Server-Side Security |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-77 |
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables. |
|